SASB Disclosure

Our responses to the SASB disclosures were written in an attempt to include as much of the requested information as possible. This report is a continued step in our SASB journey and in some instances, only partial information is available at this time. We look forward to reporting more comprehensively under this framework in the years ahead.

Topic: Environmental Footprint of Hardware and Infrastructure

Accounting Metric: (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable
Disclosure: See pages 6-8 in this report.
Code: TC-SI-130a.1

Topic: Data Privacy and Freedom of Expression

Accounting Metric: Description of policies and practices relating to behavioral advertising and user privacy
Disclosure: ADP is committed to compliance with privacy requirements and the protection of all personal data processed by ADP. ADP has adopted a set of privacy principles that serve as the foundation for our global privacy program, which includes our global privacy policy and our binding corporate rules (BCRs), all of which may be found at https://www.adp.com/about-adp/data-privacy.aspx
Code: TC-SI-220a.1

Accounting Metric: Number of users whose information is used for secondary purposes
Disclosure: ADP does not currently track this information.
Code: TC-SI-220a.2

Accounting Metric: Total amount of monetary losses as a result of legal proceedings associated with user privacy
Disclosure: Please see ADP’s 10-K and 10-Qs for a description of any material monetary losses as a result of legal proceedings associated with user privacy.
Code: TC-SI-220a.3

Accounting Metric: Total amount of monetary losses as a result of legal proceedings associated with user privacy
Disclosure: Please see our 10-K and 10-Qs for a description of any material requests from law enforcement.
Code: TC-SI-220a.4

Topic: Data Security

Accounting Metric: (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of users affected
Disclosure: ADP’s board of directors recognizes that security is integral to our products, our business processes and infrastructure. The mission of our global security organization (“GSO”) is to protect client data and funds and prevent security incidents. Our GSO is tasked with monitoring physical and cybersecurity risks, including operational risks related to information security and system disruption. A cross-functional, enterprise-wide management program operates to ensure our global cybersecurity program’s effectiveness, and members of the company’s executive committee, through an executive security council, routinely review strategy, policy, program effectiveness, standards enforcement and cyber issue management. Our board of directors and our audit committee are actively engaged in the oversight of our global cybersecurity program. More information on our program is available at https://www.adp.com/about-adp/data-security.aspx. For more information please see our Security at ADP page.
Code: TC-SI-230a.1

Accounting Metric: Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards
Disclosure:

ADP’s board of directors recognizes that security is integral to our products, our business processes and infrastructure. The mission of our global security organization (“GSO”) is to protect client data and funds and prevent security incidents. Our GSO is tasked with monitoring physical and cybersecurity risks, including operational risks related to information security and system disruption. A cross-functional, enterprise-wide management program operates to ensure our global cybersecurity program’s effectiveness, and members of the company’s executive committee, through an executive security council, routinely review strategy, policy, program effectiveness, standards enforcement and cyber issue management. Our board of directors and our audit committee are actively engaged in the oversight of our global cybersecurity program. More information on our program is available at https://www.adp.com/about-adp/data-security.aspx.

Below is a list of certifications in the US (valid through July 18, 2024):

ISO 9001:2015 - SRI Cert #021782
ISO/IEC 27001:2013 - SRI Cert #021783
ISO/IEC 27701:2019 - SRI Certificate for US #4996-01/02/06
ISO/IEC 27701:2019 - SRI Certificate for EMEA #4996-00-EUR-ISMS

For more information please see our Security at ADP page.

Code: TC-SI-230a.2

Topic: Recruiting and Managing a Global, Diverse and Skilled Workforce

Accounting Metric: Employee engagement as a percent
Disclosure: Please see page 20 in this report.
Code: TC-SI-330a.2

Accounting Metric: Percentage of gender and racial/ethnic group representations for (1) management, (2) technical staff, and (3) all other employees
Disclosure: Please see page 15 in this report.
Code: TC-SI-330a.3

Topic: Managing System Risk

Accounting Metric: Number of (1) performance issues and (2) service disruptions; (3) total customer down-time
Disclosure:

ADP products and services are designed and maintained with controls and procedures to prevent incidents. In addition, a dedicated global team monitors round-the-clock using additional comprehensive controls, including data analytics, to detect, investigate and respond to anomalies and incidents. This team addresses any reported or detected issues by following a defined incident lifecycle. This lifecycle is governed by policies and procedures, and uses an incident management system to record facts, impact and remedial actions taken. To complete the cycle, reviews are undertaken to learn and improve.

More information is available at https://www.adp.com/about-adp/data-security.aspx.

Code: TC-SI-550a.1

Accounting Metric: Description of business continuity risks related to disruptions of operations
Disclosure:

ADP is committed to keeping our services and operations running smoothly to provide our clients with the best service possible. It’s our priority to identify and mitigate the technological, environmental, process and health risks that may interfere with the services we provide to our clients. For this reason, we have created an integrated framework that lays out our mitigation, preparedness, response and recovery process.

For more information, please see our Business Resiliency Fact Sheet as well as the risks outlined in our 10-K and our Proxy Statement.

Code: TC-SI-550a.2